Two-Thirds of Phishing Emails in Ed Use 'Attached Invoice' Ploy

• By Dian Schaffhauser
• 10/15/18

The most common form of phishing email in education tends to include an attached invoice; 66 percent of hacker attempts use the attached invoice ploy to get unwary recipients to click on an infected link; another 28 percent use a payment notification scheme; and 6 percent try online order tricks.

The findings were shared by digital security vendor Cofense, in its "State of Phishing Defense 2018" report. The company provides online services to organizations that automates response to suspicious emails and also helps them condition their employees to recognize and report phishing. (In other words, the company facilitates employers sending fake emails to test how savvy their workforce is.) For the report, Cofense used data gathered through the experiences of 1,400 clients in 23 industries around the world covering real attack attempts correlated with customer simulation data.

The same analysis found that 11 percent of malicious emails in education reported turned out to be actual phishing attempts, slightly higher than the cross-industry rate of 10 percent. The others were ordinary emails that users just thought were fake. Of course, as the report's authors pointed out, "It takes just one successful phish to inflict a costly toll."

The top phishing campaigns tended to use "invoice" in the subject header. That word appeared in seven of the top 10 headers for actual phishes. Also highly popular: "payment remittance," "statement" and "payment."

More than half of reported phishes across all segments (53 percent) were sent to collect user logins, according to Cofense. This "credential phishing" typically includes a link to a malicious landing page, enabling criminals to gain access to internal data or "establish a network foothold." To protect against this delivery mechanism for malware, the company recommended that organizations use a "steady diet of credential phishing" in their simulation programs., particularly if the operation uses a lot of cloud services.

The report, which called Microsoft Office macros "the Domino's of malware delivery," said that nearly half of all malware analyzed (45 percent) currently "lurks" in Office macros. One option is for schools to disable macros in emails, forcing users to "enable" content before they work with it. Another approach is to block or "gray-list" documents from both known malware sources and unknown sites and balance that with user education.

The security firm recommended that organizations train users "to view attachments suspiciously," especially if they include invoices, online orders or anything that might contain a macro. Also, users need to be on the watch especially during intense periods of financial processing, such as end-of-month, end-of-quarter and end-of-year periods.

Cofense also suggested that organizations run phishing simulations based on real threats and the newest subjects or themes that have been circulating.

"We see phishing emails bypass technology controls every day and more and more end-users recognizing and reporting these threats that slipped past million-dollar defenses," said Aaron Higbee, co-founder and chief technology officer of Cofense, in a statement. "The results of our research...shows that resiliency is building across key industries thanks to those same people that were once deemed as the weakest-links in an organization. These trends are powerful and reinforce that humans are a key element to a successful security program."

The full report, with additional recommendations, is available with registration on the Cofense website.